Password manager hacked (why you should not use password managers)

One of the leading password management tools was attacked, according to this LastPass post:

“We want to notify our community that on Friday, our team discovered and blocked suspicious activity on our network. In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed.”

The problem with password managers is that they can themselves be compromised, which leaves every one of your sites vulnerable at once.

The problem then is: how do you manage all of your various passwords?

Let’s start with a few assumptions.

You should not use the same password on more than one site. For example, if someone compromises your PayPal password and you used that same password on eBay and Amazon, those accounts could be hacked too.

MOST sites’ password requirements will require or allow the following:

10 characters

upper and lower case

at least one special character.

One thing you can do is to create an algorithm based on the name of the site. There are endless ways to do this.

For example, you could use an algorithm such as the following to encode your password:

Take the second letter of the site name. If it is a-g, use $; otherwise, use #.

Take the first letter of the site name: vowels are 1, consonants are 3.

Take the third letter of the site name, move ahead 4 characters in the alphabet, and capitalize that letter.

etc.

So, under these rules, a password for Amazon would start out #1E.
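The three stated rules, worked through in Python as an added example (this is not code from the original post). The post does not say what “move ahead 4 characters” means for letters near the end of the alphabet, so the example assumes the shift wraps around (w becomes a), ignores non-letters such as “.com”, and treats the “10 characters” requirement as a minimum; the rules hidden behind “etc.” are not implemented.

```python
import string

VOWELS = set("aeiou")


def _letters(site: str) -> str:
    """Keep only the letters of a site name, lower-cased ('amazon.com' -> 'amazoncom').

    Assumption: punctuation and the TLD are ignored so 'Amazon' and
    'amazon.com' derive the same prefix.
    """
    return "".join(ch for ch in site.lower() if ch.isalpha())


def derive_prefix(site: str) -> str:
    """Apply the post's three rules and return the 3-character prefix.

    Rule 1: second letter in a-g -> '$', otherwise '#'
    Rule 2: first letter vowel -> '1', consonant -> '3'
    Rule 3: third letter moved ahead 4 places (assumed to wrap: w -> a), upper-cased
    """
    letters = _letters(site)
    if len(letters) < 3:
        raise ValueError(f"site name needs at least three letters: {site!r}")
    first, second, third = letters[0], letters[1], letters[2]
    symbol = "$" if "a" <= second <= "g" else "#"
    digit = "1" if first in VOWELS else "3"
    shifted = string.ascii_lowercase[(ord(third) - ord("a") + 4) % 26].upper()
    return symbol + digit + shifted


def meets_requirements(password: str) -> bool:
    """Check the common requirements listed above: 10 characters (treated here
    as a minimum), upper and lower case, and at least one special character."""
    return (
        len(password) >= 10
        and any(c.isupper() for c in password)
        and any(c.islower() for c in password)
        and any(c in string.punctuation for c in password)
    )


if __name__ == "__main__":
    for site in ("Amazon", "eBay", "PayPal", "amazon.com"):
        print(f"{site:11} -> {derive_prefix(site)}")  # Amazon -> #1E
```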

If you know the rules, you can work out any site’s password wherever you are. One problem occurs when you have to change a password periodically. If that is the case, change the password at its end or beginning and keep a record of that change in an encrypted document.

The other problem is the exception where a site has non-standard password rules. Again, these exceptions are rare and can be managed.

The other key to security is the IDIOTIC ‘security questions’. Didn’t the morons who came up with that idea hear of genealogy and classmates.com? “What is your mother’s maiden name?” Du-oh – you can often find that online. Putting in wrong answers, for example saying that your mother’s maiden name was Smith when it was Jones, may result in your not being able to remember them later.

One solution would be to do something like make the answer the third and fifth words of the security question. That is a bit risky. There are other ways of concocting an answer that would not be googleable yet would be easy for you to remember.

UPDATE Dec 2017 – There have been a number of Facebook posts asking questions like “What was your first car?” People eagerly reply in the comments. What they don’t realize is that they are actually giving the answer to one of the frequently used ‘security questions’.